Overview
overview
10Static
static
1004035f6fdd...f9.exe
windows7-x64
100ed3c87ce3...07.exe
windows7-x64
41ce291b079...c9.exe
windows7-x64
730e66f95b4...49.exe
windows7-x64
9335160bee7...cf.exe
windows7-x64
103d7dd597a4...67.exe
windows7-x64
142dcc46f9d...46.exe
windows7-x64
94fcaca23e9...f2.exe
windows7-x64
105994300c1c...a7.exe
windows7-x64
10627a5569d4...e3.exe
windows7-x64
763fa775052...2f.exe
windows7-x64
1645b8dfe73...79.exe
windows7-x64
164862ec699...1b.exe
windows7-x64
10741d75a02d...5e.exe
windows7-x64
107554a27519...2d.exe
windows7-x64
780bf2731a8...e4.exe
windows7-x64
108cc9f83e2e...92.exe
windows7-x64
79c80067790...95.exe
windows7-x64
9de1793d8db...df.exe
windows7-x64
3de6da70478...6e.exe
windows7-x64
1dfef52ffde...fe.exe
windows7-x64
7f3c6dac2d2...0f.exe
windows7-x64
10f682e063bc...40.exe
windows7-x64
10f7537bf47c...0b.exe
windows7-x64
10f89ee06ed2...6f.exe
windows7-x64
10Analysis
-
max time kernel
1562s -
max time network
1573s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-04-2024 18:50
Behavioral task
behavioral1
Sample
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0ed3c87ce3ae58f3dcbf46fa022acd3cbbe0b96af2e9f7a47eee0dd50af88507.exe
Resource
win7-20240215-en
Behavioral task
behavioral3
Sample
1ce291b079977e7a3f81c44b644fe1f63ae34a0a1a5c264e9f6085c184f7a1c9.exe
Resource
win7-20240319-en
Behavioral task
behavioral4
Sample
30e66f95b46c8162c921648e31f8c4146ba3f0580f4e5aa3b4c4de18687f6a49.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
335160bee7e253c4ffa69e5164c4a36fe5fb4be2c246958dfcc509d8202db5cf.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
3d7dd597a465d5275ef31d9e4f9dd80ed4de6139a1b3707cb3b0ffa068595567.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
42dcc46f9d6e6e8efe3f95bc09dbdfb6206a52a4347dbb652f315cec483a2046.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
4fcaca23e9cfb7e5448f41bb520c9c35c68fd795ac6b3707d0c64cf92738acf2.exe
Resource
win7-20240215-en
Behavioral task
behavioral9
Sample
5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
627a5569d47d6c66be6888e4f68f0a50e491404a08da1a7d9242c2d29e3e8ee3.exe
Resource
win7-20240221-en
Behavioral task
behavioral11
Sample
63fa775052a5c7258d44a00d9f2b4a9263f96fb7c61778cbb1ba9102fed2082f.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
741d75a02d0c4974968f0738a8b67104e1c24a58143b73b5ed1c25ac023b695e.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
7554a27519a2c960152cbe49ecef3948cf7bad12fa21cda62c8c236bbddb502d.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
80bf2731a81c113432f061b397d70cac72d907c39102513abe0f2bae079373e4.exe
Resource
win7-20240319-en
Behavioral task
behavioral17
Sample
8cc9f83e2ec4d36e50ec8407932ff3b8a7ad188a0cb95dad78028cce7921e492.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
de1793d8db7f58f0ef53bee7fb0942ef4c6c348e4a547b6cfeb74ffa8de56cdf.exe
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
dfef52ffdea9d5129cd6bf0b3df2997db40091a4bdb7f356f48feec5ac5ebcfe.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f682e063bc2c822fbe3083507b0717b1f8bc244149ed9acd9a78566f5a79a140.exe
Resource
win7-20240215-en
Behavioral task
behavioral24
Sample
f7537bf47cc039b9cda59c844faa90a75ba80f08148166fd83ff10a0bf55120b.exe
Resource
win7-20240221-en
Behavioral task
behavioral25
Sample
f89ee06ed27ff00fa5d8f6a5811a9e57063c72c9ec7d478321cdf2a2f018866f.exe
Resource
win7-20240220-en
General
-
Target
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
-
Size
2.1MB
-
MD5
e4bf35b81bfaa0e789ad9461dbacb542
-
SHA1
dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
-
SHA256
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
-
SHA512
6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
-
SSDEEP
49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README-ISHTAR.txt
https://bitmsg.me/
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
pid Process 2128 cmd.exe -
Executes dropped EXE 6 IoCs
pid Process 2900 pHE3Pm.exe 2636 pHE3Pm.exe 984 pHE3Pm.exe 2044 pHE3Pm.exe 2212 pHE3Pm.exe 1616 pHE3Pm.exe -
Loads dropped DLL 1 IoCs
pid Process 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts pHE3Pm.exe Key opened \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts pHE3Pm.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\pHE3Pm.exe" 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\k: pHE3Pm.exe File opened (read-only) \??\p: pHE3Pm.exe File opened (read-only) \??\x: pHE3Pm.exe File opened (read-only) \??\v: pHE3Pm.exe File opened (read-only) \??\y: pHE3Pm.exe File opened (read-only) \??\l: pHE3Pm.exe File opened (read-only) \??\m: pHE3Pm.exe File opened (read-only) \??\r: pHE3Pm.exe File opened (read-only) \??\s: pHE3Pm.exe File opened (read-only) \??\t: pHE3Pm.exe File opened (read-only) \??\w: pHE3Pm.exe File opened (read-only) \??\z: pHE3Pm.exe File opened (read-only) \??\b: pHE3Pm.exe File opened (read-only) \??\g: pHE3Pm.exe File opened (read-only) \??\h: pHE3Pm.exe File opened (read-only) \??\j: pHE3Pm.exe File opened (read-only) \??\q: pHE3Pm.exe File opened (read-only) \??\u: pHE3Pm.exe File opened (read-only) \??\a: pHE3Pm.exe File opened (read-only) \??\e: pHE3Pm.exe File opened (read-only) \??\i: pHE3Pm.exe File opened (read-only) \??\n: pHE3Pm.exe File opened (read-only) \??\o: pHE3Pm.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000b000000015c99-3.dat autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2636 set thread context of 984 2636 pHE3Pm.exe 48 PID 2636 set thread context of 2044 2636 pHE3Pm.exe 49 PID 2636 set thread context of 2212 2636 pHE3Pm.exe 50 PID 2636 set thread context of 1616 2636 pHE3Pm.exe 51 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1088 vssadmin.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet" pHE3Pm.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\mscfile\shell\open\command pHE3Pm.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\mscfile pHE3Pm.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\mscfile\shell pHE3Pm.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\mscfile\shell\open pHE3Pm.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2604 PING.EXE -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2636 pHE3Pm.exe 2212 pHE3Pm.exe 2212 pHE3Pm.exe 2212 pHE3Pm.exe 2212 pHE3Pm.exe 2212 pHE3Pm.exe 2636 pHE3Pm.exe 984 pHE3Pm.exe 984 pHE3Pm.exe 984 pHE3Pm.exe 984 pHE3Pm.exe 984 pHE3Pm.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeDebugPrivilege 2796 whoami.exe Token: SeBackupPrivilege 1936 vssvc.exe Token: SeRestorePrivilege 1936 vssvc.exe Token: SeAuditPrivilege 1936 vssvc.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe Token: SeDebugPrivilege 2548 whoami.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2900 pHE3Pm.exe 2900 pHE3Pm.exe 2900 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 2900 pHE3Pm.exe 2900 pHE3Pm.exe 2900 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe 2636 pHE3Pm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 1732 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 28 PID 2972 wrote to memory of 1732 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 28 PID 2972 wrote to memory of 1732 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 28 PID 2972 wrote to memory of 1732 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 28 PID 2972 wrote to memory of 2900 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 33 PID 2972 wrote to memory of 2900 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 33 PID 2972 wrote to memory of 2900 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 33 PID 2972 wrote to memory of 2900 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 33 PID 2972 wrote to memory of 2128 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 34 PID 2972 wrote to memory of 2128 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 34 PID 2972 wrote to memory of 2128 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 34 PID 2972 wrote to memory of 2128 2972 04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe 34 PID 2900 wrote to memory of 2636 2900 pHE3Pm.exe 36 PID 2900 wrote to memory of 2636 2900 pHE3Pm.exe 36 PID 2900 wrote to memory of 2636 2900 pHE3Pm.exe 36 PID 2900 wrote to memory of 2636 2900 pHE3Pm.exe 36 PID 2128 wrote to memory of 2604 2128 cmd.exe 37 PID 2128 wrote to memory of 2604 2128 cmd.exe 37 PID 2128 wrote to memory of 2604 2128 cmd.exe 37 PID 2128 wrote to memory of 2604 2128 cmd.exe 37 PID 2636 wrote to memory of 2776 2636 pHE3Pm.exe 38 PID 2636 wrote to memory of 2776 2636 pHE3Pm.exe 38 PID 2636 wrote to memory of 2776 2636 pHE3Pm.exe 38 PID 2636 wrote to memory of 2776 2636 pHE3Pm.exe 38 PID 2776 wrote to memory of 2796 2776 cmd.exe 40 PID 2776 wrote to memory of 2796 2776 cmd.exe 40 PID 2776 wrote to memory of 2796 2776 cmd.exe 40 PID 2776 wrote to memory of 2796 2776 cmd.exe 40 PID 2636 wrote to memory of 2888 2636 pHE3Pm.exe 41 PID 2636 wrote to memory of 2888 2636 pHE3Pm.exe 41 PID 2636 wrote to memory of 2888 2636 pHE3Pm.exe 41 PID 2636 wrote to memory of 2888 2636 pHE3Pm.exe 41 PID 2888 wrote to memory of 876 2888 eventvwr.exe 42 PID 2888 wrote to memory of 876 2888 eventvwr.exe 42 PID 2888 wrote to memory of 876 2888 eventvwr.exe 42 PID 876 wrote to memory of 1088 876 cmd.exe 44 PID 876 wrote to memory of 1088 876 cmd.exe 44 PID 876 wrote to memory of 1088 876 cmd.exe 44 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 984 2636 pHE3Pm.exe 48 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2044 2636 pHE3Pm.exe 49 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 2212 2636 pHE3Pm.exe 50 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 1616 2636 pHE3Pm.exe 51 PID 2636 wrote to memory of 2140 2636 pHE3Pm.exe 52 PID 2636 wrote to memory of 2140 2636 pHE3Pm.exe 52 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.docx"2⤵PID:1732
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exeC:\Users\Admin\AppData\Roaming\pHE3Pm.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe"C:\Users\Admin\AppData\Roaming\pHE3Pm.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Roaming\pHE3Pm.tmp"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c whoami /all4⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet5⤵
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:1088
-
-
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~p9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:984
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~m9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2044
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~p9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~m9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c whoami /all4⤵PID:2140
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 localhost > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\PING.EXEping -n 1 localhost3⤵
- Runs ping.exe
PID:2604
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cbf468d5e3d2d6fe3023d6dc32c9e5fb
SHA1b965fe1580e236f34ced39cf7c36edfe96990c81
SHA256d721c952dcb8cd2f2fdf81a4d59d88d94345fc0986dfc6fd03d9d6b4a523e34d
SHA512b4eba261ea6a6e13d8d0a52f3448c6c8096b994ea80768cdb9da78d570032d0630eb39ddd58265f8d7d2bd40c0bb4ea8ce04362fd0fc60977607f2ca3174236e
-
Filesize
1KB
MD57c7f0401533ac0f3bda9395cdc31a297
SHA1caee409e0a1faa857de3e18fefa19c144ccb0f5c
SHA25679edc980fd54cc6a232caed93852d18b98e8ae41e0858dfb32cc39c42ce3c6c6
SHA5127c47a66af2176f0ffde73b0a643d01cf6c4b41f5acf98117e8963cad02d89cfbea6b95d88fa05f8469671bf20a1736fff3b76fa44fc2a210d928e92266444abf
-
Filesize
1KB
MD5d0b60b9da3f226f60e9ff83521494239
SHA1fd5080ed66bb3e17849d553ce97c25571f4d16d3
SHA25625a6ca4bcaec2618aa5e0d997a2ec767abdf337ddb81a6a2cd3553724902f695
SHA512d6c61cea2ad38a8f425fab766cdff9e58a9f642dda6f340836cfaa509f859b7b4ffd75e5d583a8c8154d05f0c7bfb7b0c0dc4181eaefcc1d2c6879037cf2838c
-
Filesize
1.2MB
MD5369ab221049cd9560602b9e5aebf2dda
SHA1029ec59baaee07a6317b42c446f02d7192766812
SHA256d8c61b75dcffc31bb0016d4164f7e21d767b70f53e775da8fb964928782e13da
SHA51214aa5aef2c682e3220c59f9ee143befe5b5d9f50d4a71028d4161098ff33a6f75348622ab837c556843feaad2300ec51d5affa92dea364fd8d751c426bd717c3
-
Filesize
112B
MD536427ecb2a0faf13af3047c51b29f9c5
SHA19a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f
SHA256ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345
SHA5124e1ff95c087545b9fe56bbc008516d1e0bbecd9cae246d7baecd7773404e24678ec22b515ec6e6f715081fd079e6d400aa4060abaf9346cdc609873be76833f0
-
Filesize
276B
MD5b357929e7562d4866aa5958c9575895c
SHA1ee700b2b7664cb45619472df2f41e6b114ca1aef
SHA2569c0249341882665020d594e260fcd4fbdeb2cecae4f76609bbc58167908c392f
SHA51288481327fee6c707ec0e145021f3c7710a053fa8c1da47e7897f7c9f9526c5f70fc1d5e1dc1a2beaf22b212063cf37a02ddcc1d16743d032b899b0aadc6945f0
-
Filesize
2.1MB
MD5e4bf35b81bfaa0e789ad9461dbacb542
SHA1dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
SHA25604035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
SHA5126635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d